How to Develop Key Performance Indicators for Security

Similar documents
Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

K12 Cybersecurity Roadmap

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

Cyber Protections: First Step, Risk Assessment

CyberSecurity: Top 20 Controls

TIPS FOR AUDITING CYBERSECURITY

Automating the Top 20 CIS Critical Security Controls

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

ISE North America Leadership Summit and Awards

Designing and Building a Cybersecurity Program

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Tripwire State of Cyber Hygiene Report

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

CISO as Change Agent: Getting to Yes

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

THE POWER OF TECH-SAVVY BOARDS:

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

CIS Controls Measures and Metrics for Version 7

WHO AM I? Been working in IT Security since 1992

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

CIS Controls Measures and Metrics for Version 7

Les joies et les peines de la transformation numérique

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

Putting the 20 Critical Controls into Action: Real World Use Cases. Lawrence Wilson, UMass, CSO Wolfgang Kandek, Qualys, CTO

How Breaches Really Happen

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Managing IT & Election Systems. U.S. Election Assistance Commission 1

NEN The Education Network

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Building Secure Systems

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Decoding security frameworks for effective cyber defense. David Allott McAfee

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

ETSI TR V1.1.1 ( )

Monthly Cyber Threat Briefing

Critical Hygiene for Preventing Major Breaches

TEL2813/IS2820 Security Management

CompTIA CASP (Advanced Security Practitioner)

Security Management Models And Practices Feb 5, 2008

The Common Controls Framework BY ADOBE

Back to Basics: Basic CIS Controls

Cybersecurity Session IIA Conference 2018

Security Policies and Procedures Principles and Practices

Cybersecurity Today Avoid Becoming a News Headline

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Protecting your data. EY s approach to data privacy and information security

the SWIFT Customer Security

Mapping Cyber-Protections to Regulatory Requirements for Fintech

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

Defensible Security DefSec 101

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Tech TV Series. Lisa Niles CISSP, Chief Solution Architect

Certified Information Security Manager (CISM) Course Overview

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Streamlined FISMA Compliance For Hosted Information Systems

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

The CIS Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can

Sage Data Security Services Directory

Building Resilience in a Digital Enterprise

NIST CyberSecurity Framework+ Brian Ventura SANS Community Instructor ISSA Portland, Director of Education Information Security Architect, City of

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

2 The IBM Data Governance Unified Process

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Daxko s PCI DSS Responsibilities

Business Continuity Management: How to get started. Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018

CYBERSECURITY MATURITY ASSESSMENT

IT risks and controls

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Jeff Wilbur VP Marketing Iconix

Security Metrics Framework

Education Network Security

BHConsulting. Your trusted cybersecurity partner

Effective Cyber Incident Response in Insurance Companies

Privacy Implications Guide. for. the CIS Critical Security Controls (Version 6)

TRIPWIRE VULNERABILITY RISK METRICS CONNECTING SECURITY TO THE BUSINESS

Lessons from the Human Immune System Gavin Hill, Director Threat Intelligence

Consolidation Committee Final Report

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

External Supplier Control Obligations. Cyber Security

Cyber Risks in the Boardroom Conference

MIS Week 9 Host Hardening

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

Developing a Model for Cyber Security Maturity Assessment

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Why you should adopt the NIST Cybersecurity Framework

Objectives of the Security Policy Project for the University of Cyprus

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Security Standards for Electric Market Participants

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Do You Know Your Organization's Top 10 Security Risks?

Transcription:

SESSION ID: How to Develop Key Performance Indicators for Security James Tarala Principal and Senior Instructor Enclave Security / The SANS Institute @isaudit

Laying a Foundation For metrics to be effective, organizations must define their goals Most organizations have not taken the time to define their intentions for security We need more detailed metrics than don t get breached Before we can define metrics, we have to lay a foundation 2

An Architecture for Security Program Management To lay a solid foundation, organizations must: 1. Document a security program charter 2. Empower stakeholders to govern the program 3. Clearly document their intentions (policies) 4. Establish their priorities for defense 5. Create a plan for quality management 6. Define specific measures / metrics for success 7. Regularly report to key stakeholders / leadership 3

WARNING! There are no shortcuts! If organizations skip steps in the process, they are bound for frustration, confusion, and failure It s time for our industry to grow up and do the hard things 4

Defining Appropriate Controls Security defenses are generally derived from three places: Regulatory requirements Industry standards Contractual obligations It is pointless to define measures, if goals have not been defined 5

Popular Security Control Standards 6

The Center for Internet Security (CIS) Controls Official home of the Critical Security Controls Not-for-Profit group responsible for managing the CIS Controls Utilizes a volunteer army of contributors to define defense Responsible for maintaining community efforts such as: Security benchmarks Security metrics CIS Controls Managing the MS-ISAC 7

The Center for Internet Security (CIS) Controls (cont) 1. Inventory and Control of Hardware Assets 2. Inventory and Control of Software Assets 3. Continuous Vulnerability Management 4. Controlled Use of Administrative Privileges 5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers 6. Maintenance, Monitoring, and Analysis of Audit Logs 7. Email and Web Browser Protections 8. Malware Defenses 9. Limitation and Control of Network Ports, Protocols, and Services 10. Data Recovery Capabilities 11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches 12. Boundary Defense 13. Data Protection 14. Controlled Access Based on the Need to Know 15. Wireless Access Control 16. Account Monitoring and Control 17. Implement a Security Awareness and Training Program 18. Application Software Security 19. Incident Response and Management 20. Penetration Tests and Red Team Exercises 8

Key Principles for Version 7.0 & 7.1 1. Improve the consistency and simplify the wording of each sub-control 2. Implement one ask per sub-control 3. Bring more focus on multi-factor authentication and application whitelisting 4. Account for improvements in security technology and emerging security problems 5. Better alignment with other frameworks (e.g., the NIST CSF) 6. Support for the development of related products (e.g. measurements/metrics, governance, and implementation guides) 7. Definition of control levels based on organizational demographics 9

Controls, Measures, Metrics, Maturity Controls Measures Metrics Maturity

Start with Attestations Start the process with simple interviews There s no reason for a deep dive if the basics are not done Tool available at: www.auditscripts.com 11

Six Sigma and the CIS Controls Starting in version 7.0 of the CIS Controls, Six Sigma was adopted to be the quality management program for the controls Six Sigma is a quality program that, when all is said and done, improves your customer s experience, lowers your costs, and builds better leaders. Jack Welch, GE Purpose was to define thresholds for maturity for each defined measure Organizations do not need to be perfect, but this allows them to define a standard for what is acceptable risk 12

Controls, Measures, and Metrics Example Maintain detailed asset inventory What percentage of the organization's hardware assets are not presently included in the organization's asset inventory? One Two Three Four Five Six 69% or 31% or 6.7% or 0.62% or 0.023% or 0.00034% or 13

More Sample Measures / Metrics (CIS Control #1) Measure One Two Three Four Five Six What percentage of the organization's networks have not recently been scanned by an active asset discovery tool? 69% or 31% or 6.7% or 0.62% or What percentage of the organization's networks are not being monitored by a passive asset discovery tool? 69% or 31% or 6.7% or 0.62% or What percentage of the organization's DHCP servers do not have logging enabled? 69% or 31% or 6.7% or 0.62% or 0.023% or 0.023% or 0.023% or 0.00034% or 0.00034% or 0.00034% or What percentage of the organization's hardware assets are not presently included in the organization's asset inventory? 69% or 31% or 6.7% or 0.62% or 0.023% or 0.00034% or What percentage of the organization's hardware assets as a whole are not documented in the organization's asset inventory with the appropriate network address, hardware address, machine name, data asset owner, and department for each asset? 69% or 31% or 6.7% or 0.62% or 0.023% or 0.00034% or What percentage of the organization's unauthorized assets have not been removed from the network, quarantined or added to the inventory in a timely manner? 69% or 31% or 6.7% or 0.62% or 0.023% or 0.00034% or What percentage of the organization's network switches are not configured to require network-based port level access control for all client connections? 69% or 31% or 6.7% or 0.62% or 0.023% or 0.00034% or What percentage of the organization's network switches are not configured to require network-based port level access control utilizing client certificates to authenticate all client connections? 69% or 31% or 6.7% or 0.62% or 0.023% or 0.00034% or 14

Defined Measures / Metrics Lead to Automation Asset Inventory Database Network Level Authentication (NLA) Public Key Infrastructure (PKI) Alerting / Reporting Analytics System Active Device Discovery Passive Device Discovery Computing Systems 15

Automation Leads to Reporting Automated measures can be aggregated and reported to leadership using standardized software platforms 16

The Future of Information Security Cyber hygiene has been defined We have standards of care Information security is a business intelligence problem Automated measures show the way 17

Call to Action Every organization is at a different place in the journey Remember the basics: 1. Document a security program charter 2. Empower stakeholders to govern the program 3. Clearly document their intentions (policies) 4. Establish their priorities for defense 5. Create a plan for quality management 6. Define specific measures / metrics for success 7. Regularly report to key stakeholders / leadership 18

Operationalizing Security Program Metrics Next week you should: Download the free resources at cisecurity.org & auditscripts.com Decide which standards will drive your security program In the first three months following this presentation you should: Create / review your security program charter Evaluate / update your security policy library to reflect your goals Within six months you should: Choose 5-10 measures to report to senior leadership 19

For More Information James Tarala E-mail: james.tarala@enclavesecurity.com Twitter: @isaudit Resources for further study: The Center for Internet Security Resources (www.cisecurity.org) AuditScripts.com Resources (www.auditscripts.com) SANS CIS Controls Courses SEC 440 / 566 The Project Management Institute Resources (www.pmi.org)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback